Search in sources :

Example 1 with LwM2MClientCredentials

use of org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials in project thingsboard by thingsboard.

the class TbLwM2MDtlsCertificateVerifier method verifyCertificate.

@Override
public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerNames serverName, InetSocketAddress remotePeer, boolean clientUsage, boolean verifySubject, boolean truncateCertificatePath, CertificateMessage message) {
    CertPath certChain = message.getCertificateChain();
    if (certChain == null) {
        // We trust all RPK on this layer, and use TbLwM2MAuthorizer
        PublicKey publicKey = message.getPublicKey();
        return new CertificateVerificationResult(cid, publicKey, null);
    } else {
        try {
            boolean x509CredentialsFound = false;
            X509Certificate[] chain = certChain.getCertificates().toArray(new X509Certificate[0]);
            for (X509Certificate cert : chain) {
                try {
                    if (!skipValidityCheckForClientCert) {
                        cert.checkValidity();
                    }
                    TbLwM2MSecurityInfo securityInfo = null;
                    if (staticCertificateVerifier != null) {
                        HandshakeException exception = staticCertificateVerifier.verifyCertificate(cid, serverName, remotePeer, clientUsage, verifySubject, truncateCertificatePath, message).getException();
                        if (exception == null) {
                            try {
                                String endpoint = config.getTrustSslCredentials().getValueFromSubjectNameByKey(cert.getSubjectX500Principal().getName(), "CN");
                                if (StringUtils.isNotEmpty(endpoint)) {
                                    securityInfo = securityInfoValidator.getEndpointSecurityInfoByCredentialsId(endpoint, CLIENT);
                                }
                            } catch (LwM2MAuthException e) {
                                log.trace("Certificate trust validation failed.", e);
                            }
                        } else {
                            log.trace("Certificate trust validation failed.", exception);
                        }
                    }
                    // if not trust or cert trust securityInfo == null
                    String strCert = SslUtil.getCertificateString(cert);
                    String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
                    if (securityInfo == null || securityInfo.getMsg() == null) {
                        try {
                            securityInfo = securityInfoValidator.getEndpointSecurityInfoByCredentialsId(sha3Hash, CLIENT);
                        } catch (LwM2MAuthException e) {
                            log.trace("Failed find security info: {}", sha3Hash, e);
                        }
                    }
                    ValidateDeviceCredentialsResponse msg = securityInfo != null ? securityInfo.getMsg() : null;
                    if (msg != null && StringUtils.isNotEmpty(msg.getCredentials())) {
                        LwM2MClientCredentials credentials = JacksonUtil.fromString(msg.getCredentials(), LwM2MClientCredentials.class);
                        if (!credentials.getClient().getSecurityConfigClientMode().equals(LwM2MSecurityMode.X509)) {
                            continue;
                        }
                        X509ClientCredential config = (X509ClientCredential) credentials.getClient();
                        String certBody = config.getCert();
                        String endpoint = config.getEndpoint();
                        if (StringUtils.isBlank(certBody) || strCert.equals(certBody)) {
                            x509CredentialsFound = true;
                            DeviceProfile deviceProfile = msg.getDeviceProfile();
                            if (msg.hasDeviceInfo() && deviceProfile != null) {
                                sessionStorage.put(endpoint, new TbX509DtlsSessionInfo(cert.getSubjectX500Principal().getName(), msg));
                                try {
                                    securityStore.putX509(securityInfo);
                                } catch (NonUniqueSecurityInfoException e) {
                                    log.trace("Failed to add security info: {}", securityInfo, e);
                                }
                                break;
                            }
                        } else {
                            log.trace("[{}][{}] Certificate mismatch. Expected: {}, Actual: {}", endpoint, sha3Hash, strCert, certBody);
                        }
                    }
                } catch (CertificateEncodingException | CertificateExpiredException | CertificateNotYetValidException e) {
                    log.error(e.getMessage(), e);
                }
            }
            if (!x509CredentialsFound) {
                AlertMessage alert = new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR);
                throw new HandshakeException("x509 verification not enabled!", alert);
            }
            return new CertificateVerificationResult(cid, certChain, null);
        } catch (HandshakeException e) {
            log.trace("Certificate validation failed!", e);
            return new CertificateVerificationResult(cid, e, null);
        }
    }
}
Also used : CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) PublicKey(java.security.PublicKey) LwM2MAuthException(org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException) CertificateEncodingException(java.security.cert.CertificateEncodingException) X509Certificate(java.security.cert.X509Certificate) CertificateVerificationResult(org.eclipse.californium.scandium.dtls.CertificateVerificationResult) X509ClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential) DeviceProfile(org.thingsboard.server.common.data.DeviceProfile) NonUniqueSecurityInfoException(org.eclipse.leshan.server.security.NonUniqueSecurityInfoException) LwM2MClientCredentials(org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials) CertPath(java.security.cert.CertPath) HandshakeException(org.eclipse.californium.scandium.dtls.HandshakeException) ValidateDeviceCredentialsResponse(org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse) AlertMessage(org.eclipse.californium.scandium.dtls.AlertMessage)

Example 2 with LwM2MClientCredentials

use of org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials in project thingsboard by thingsboard.

the class LwM2mCredentialsSecurityInfoValidator method createSecurityInfo.

/**
 * Create new SecurityInfo
 *
 * @return SecurityInfo
 */
private TbLwM2MSecurityInfo createSecurityInfo(String endpoint, ValidateDeviceCredentialsResponse msg, LwM2mTypeServer keyValue) {
    TbLwM2MSecurityInfo result = new TbLwM2MSecurityInfo();
    LwM2MClientCredentials credentials = JacksonUtil.fromString(msg.getCredentials(), LwM2MClientCredentials.class);
    if (credentials != null) {
        result.setMsg(msg);
        result.setDeviceProfile(msg.getDeviceProfile());
        result.setEndpoint(credentials.getClient().getEndpoint());
        // if ((keyValue.equals(CLIENT))) {
        switch(credentials.getClient().getSecurityConfigClientMode()) {
            case NO_SEC:
                createClientSecurityInfoNoSec(result);
                break;
            case PSK:
                createClientSecurityInfoPSK(result, endpoint, credentials.getClient());
                break;
            case RPK:
                createClientSecurityInfoRPK(result, endpoint, credentials.getClient());
                break;
            case X509:
                createClientSecurityInfoX509(result, endpoint);
                break;
            default:
                break;
        }
        if (keyValue.equals(BOOTSTRAP)) {
            LwM2MBootstrapConfig bootstrapCredentialConfig = new LwM2MBootstrapConfig(((Lwm2mDeviceProfileTransportConfiguration) msg.getDeviceProfile().getProfileData().getTransportConfiguration()).getBootstrap(), credentials.getBootstrap().getBootstrapServer(), credentials.getBootstrap().getLwm2mServer());
            result.setBootstrapCredentialConfig(bootstrapCredentialConfig);
        }
    }
    return result;
}
Also used : LwM2MBootstrapConfig(org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MBootstrapConfig) LwM2MClientCredentials(org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials)

Aggregations

LwM2MClientCredentials (org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials)2 PublicKey (java.security.PublicKey)1 CertPath (java.security.cert.CertPath)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 CertificateExpiredException (java.security.cert.CertificateExpiredException)1 CertificateNotYetValidException (java.security.cert.CertificateNotYetValidException)1 X509Certificate (java.security.cert.X509Certificate)1 AlertMessage (org.eclipse.californium.scandium.dtls.AlertMessage)1 CertificateVerificationResult (org.eclipse.californium.scandium.dtls.CertificateVerificationResult)1 HandshakeException (org.eclipse.californium.scandium.dtls.HandshakeException)1 NonUniqueSecurityInfoException (org.eclipse.leshan.server.security.NonUniqueSecurityInfoException)1 DeviceProfile (org.thingsboard.server.common.data.DeviceProfile)1 X509ClientCredential (org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential)1 ValidateDeviceCredentialsResponse (org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse)1 LwM2MBootstrapConfig (org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MBootstrapConfig)1 LwM2MAuthException (org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException)1